Closed Bug 291640 (CVE-2023-37203) Opened 20 years ago Closed 1 year ago

Drag and drop can create shortcuts to local files

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Product:
Core
Component:
DOM: Copy & Paste and Drag & Drop
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- fixed

People

(Reporter: pvnick, Assigned: Gijs)

References

(
URL
)

Details

(Keywords: sec-moderate, Whiteboard: [sg:moderate][adv-main115+] high with cooperation from the victim)

Attachments

(3 files, 3 obsolete files)

Bug 291640, r?emilio
48 bytes, text/x-phabricator-request
Details | Review
Bug 291640, r?mak
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
318 bytes, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

In the page javascript:'Drag this broken image to the desktop:<img
src="C:/windows/system32/cmd.exe">', dragging the broken image to the desktop
will create a shortcut to cmd.exe, which, when opened, will spawn cmd.exe

Reproducible: Always

Steps to Reproduce:
1.javascript:'Drag this broken image to the desktop:<img
src="C:/windows/system32/cmd.exe">'
2. drag broken image to desktop
3. double click new icon on desktop
Actual Results:  
cmd.exe opened

Expected Results:  
executable files shouldnt be draggable
ok, this one is real, and i can make it more dangerous pre sp2.

however, it's all limited to the 1.0 branch, i had someone test for me on trunk
and none of the cases i provided worked.
Version: unspecified → 1.0 Branch
Confirming on 1.0.3.  In XPSP2, dragging to the desktop prompts me to add it as
an Active Desktop item, but dragging it to a folder creates a .url shortcut,
which will launch the application when double clicked.  In SP2 this has a
security prompt before it actually launches.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Is there a way to influence the name of the link? If it looks like <blah>cmd.exe
it's kind of on the user if they click it. You're not dragging the exe itself,
just a shortcut. Is there a way to pass parameters? That would certainly make
this more dangerous.
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.4?
yes there is. i'll explain elsewhere.
Blocks: sbb?
Assignee: bugs → dveditz
Flags: blocking1.8b3+
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Product: Firefox → Core
Whiteboard: [sg:fix]
Not going to make the 1.0.5 train, but need to look into this for future 1.0.x
release.
-'d per drivers meeting
Flags: blocking-aviary1.0.5+ → blocking-aviary1.0.5-
Flags: blocking-aviary1.0.6+
Flags: blocking1.8b4+
Flags: blocking1.8b3-
Flags: blocking1.8b3+
would be nice to fix, not critical for aviary1.5 (dveditz)

/cb
Flags: blocking1.8b4-
Flags: blocking1.8b4+
Flags: blocking-aviary1.5-
Flags: blocking-aviary1.5+
Flags: blocking-aviary1.0.7-
Flags: blocking-aviary1.0.7+
QA Contact: ali → ian
Did the patch in bug 285438 take care of this bug?
Whiteboard: [sg:fix] → [sg:moderate] critical with cooperation from the victim
Version: 1.0 Branch → 1.7 Branch
Is this still an issue? Does it need to remain hidden?
I just tested this using Windows 7 and the latest trunk nightly and this appears to still be a problem. Dragging the test icon to the desktop creates a shortcut to the executable that will execute without any prompts.

I don't know enough about security expectations with this sort of thing to know how big of a problem this is.
This is only really a problem in combination with file-planting attacks or other things. But in any case we should fix it, probably doing a checkLoadURIWithPrincipal to see whether the website is allowed to link to that thing.
Version: 1.7 Branch → Trunk
Neil - can you look into this?
Assignee: dveditz → enndeakin
Attached patch patch (obsolete) — Splinter Review 
This patch does the basic implementation. There are two issues I am not sure how to deal with:

 - the test displays a 'grant privileges dialog'.
 - test testcase in the first comment uses a file path not a url.

But this patch is a suitable starting point.
Attached patch Patch version 2, fix up test (obsolete) — Splinter Review 

        Attachment #603406 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 612661 [details] [diff] [review]
Patch version 2, fix up test

Not sure entirely about this patch as it doesn't fix the reported issue. Wondering if it would be better to have the platform-specific widget layer reject creating links to local files somehow.

        Attachment #612661 -
        Flags: feedback?(bugs)

    
    

    
  
Why would it have to be platform-specific?
Couldn't we whitelist the allowed schemes, or at least blacklist javascript: ?

    
    

    
  
(In reply to Olli Pettay [:smaug] from comment #16)
> Why would it have to be platform-specific?
> Couldn't we whitelist the allowed schemes, or at least blacklist javascript:
> ?

'javascript:' isn't used here.

The bug here is in preventing:
  event.dataTransfer.setData("text/x-moz-url-data", "c:/builds/");
which isn't actually a URL and Windows translates it in some manner when creating a shortcut.

    
    

    
  
Comment on attachment 612661 [details] [diff] [review]
Patch version 2, fix up test

Ah, ok. Sounds like widget layer fix is needed.

        Attachment #612661 -
        Flags: feedback?(bugs)

    
  
Group: core-security → dom-core-security

    
  
Assignee: enndeakin → nobody

    
  
Group: dom-core-security → firefox-core-security
Product: Core → Firefox
QA Contact: ian

    
    

    
  
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.


Severity: major → --

    
  
Duplicate of this bug: 1828429

    
  
Assignee: nobody → gijskruitbosch+bugs

    
    

    
  

      
      
      
      

        Attached file
          
        Bug 291640, r?emilio
      

    


  

    
  
Group: firefox-core-security → dom-core-security
Component: File Handling → DOM: Copy & Paste and Drag & Drop
OS: Windows XP → All
Product: Firefox → Core
Hardware: x86 → Desktop

    
  
Blocks: 1832266

    
    

    
  
Filed bug 1832266 for tests.



    
    

    
  
r=emilio

https://hg.mozilla.org/integration/autoland/rev/c8f66e4894442df742c8b2b29be26a2937c193be

https://hg.mozilla.org/mozilla-central/rev/c8f66e489444


Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago

          status-firefox115:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

        Attachment #612661 -
        Attachment is obsolete: true
Severity: -- → S2

    
    

    
  
This fix works for file: but appears to be incomplete for c:/ links.


Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
  
Group: core-security-release → dom-core-security

          status-firefox115:
          fixedaffected

    
    

    
  
Hm, so the reason I didn't catch this originally is that it seems that we are more strict than Windows in how we parse Windows paths into URLs. Specifically, a link that points to: C:\Users gets transformed to file:///C:/Users (and blocked, on current nightly already) but a link to C:/Users does not. This causes problems when we then pass this information to Windows and it does then interpret the target as a file path.


The simplest fix is to change the URI fixup parser to also recognize this syntax as a file URI, here. It's worth noting that just setting attemptFixup to true in that case is insufficient: our Windows path parsing code will fail to initialize the file when the path is made up of forward slashes instead of backslashes.


I have a patch for this. It passes urlbar and docshell urifixup unit tests without changes... in principle it shouldn't end up impacting any web content because we'd primarily use nsIURI for security checks and navigation, rather than fixup. I think fixing up C:/Users/ in the URL bar to file:///C:/Users/ (instead of a search query with the default search provider) is probably a net win, but if we think that may be in doubt we could put it behind a fixup flag and/or pref.



    
    

    
  

      
      
      
      

        Attached file
          
        Bug 291640, r?mak
      

    


  
Whiteboard: [sg:moderate] critical with cooperation from the victim → [sg:moderate][adv-main115+] critical with cooperation from the victim

    
    

    
  

      
      
      
      

        Attached file
          
        advisory.txt (obsolete)
        — 
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        advisory.txt
      

    


  

        Attachment #9341326 -
        Attachment is obsolete: true

    
  
Alias: CVE-2023-37203
Whiteboard: [sg:moderate][adv-main115+] critical with cooperation from the victim → [sg:moderate][adv-main115+] high with cooperation from the victim
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: